Active Directory Account Provisioning
A lower cost and faster alternative to Identity Management
June 1, 2004

Contents
Introduction 3
User Account Creation Today 3
Account Changes 4
Account Expirations 5
Multiple Data Stores 5
Identity Management 6
Dream Big, Start Small 8
Leveraging Your Active Directory Investment 9
The NetIQ Solution 10
Customer examples 12
Conclusion 13

With 29% of total annual IT time spent updating user account information, organizations are struggling to find an economical solution to reduce the expense and resources required to manage the user account lifecycle.[1] Active Directory account provisioning takes advantage of the fact that the majority of account management activities occur in Active Directory, and focuses on streamlining these activities to get quickest time to value.
This white paper explains how organizations can use the NetIQ Active Directory account provisioning solution to extend Active Directory and address the majority of their user account lifecycle needs. It explains how an organization can combine the NetIQ off-the-shelf products to address key account management issues, while laying the groundwork for a complete user account lifecycle management solution. This flexible approach allows organizations to implement Active Directory account provisioning in steps, as they have budget, and provides immediate ROI on account management projects.
Besides reviewing the information in this paper, NetIQ encourages you to visit our web site at www.netiq.com for more details.
Introduction
Remember thirty years ago, when Human Resources was called Personnel and the human
resource data store was a dark file room filled with gray metal file cabinets? In those
days, if an organization was computerized, it had a single information system running a
small number of applications. When new people joined the organization, Personnel
created a new file folder and added it to the appropriate file cabinet. If the new employee
needed regular access to the information system, the information systems manager would
create an account and logon for the specified application. If the new employee only
needed occasional access, he might share a “guest” account with the rest of the
organization.
Back then, the process to create user accounts and logons was usually a manual one, with
paper forms and approvals. Since the systems administrators were the ones creating
accounts, as well as doing all the other administrative tasks, it might take a week or so for
the new account to be created. It was also relatively simple to keep track of who had
access to which applications, since the number of applications was limited and few
people had access to them.
User Account Creation Today
These days, most employees will have access to several systems and applications, each
with its own account and logon information. To put the problem in perspective,
according to Computerworld, in 1995 IT departments supported an average of 25
applications per user and by 2001 that number had grown to 100–200.[2] META research
shows that organizations with revenues over $500 million typically have more than 75
applications, databases, and systems that require authentication.[3]
The amount of work to create all the necessary accounts on these different systems has
grown exponentially. Even with today’s more advanced processes and systems, new
employees still have to wait to get access to the systems they need. In a recent study by
Stanford and Hong Kong universities of 200 Global 2000 companies, 48% of companies
reported taking more than two days to provide a new hire with access to all the systems
they need, and 10% reported taking more than two weeks.[4] With many employees’ jobs
directly related to interfacing with computer systems, delays in setting up new user
accounts cost organizations directly in lost productivity and employee downtime.
Even though new account creation can involve critical areas like enterprise security and
touches many different systems and applications, new user account requests are
frequently done in an informal manner. They are submitted manually on outdated forms,
sent on paper through interoffice mail, phoned into the help desk, mentioned off-
handedly in passing, or emailed to various locations for approvals and authorizations, all
before even entering the IT work queue. This ad hoc approval and notification process
frequently slows down the new account creation and causes many of the delays reported
in research. This type of distributed process can create security issues since there is no
central authority overseeing which systems new accounts are being granted access to.
With multiple people setting up new accounts, policies and naming conventions are also
difficult to enforce.
Active Directory Account Provisioning 3
Account Changes
As if new account creations were not enough to worry about, employee data is always
changing. Employees change cell phone numbers, addresses, last names, titles,
extensions, and office numbers. They can also change departments, organizational
levels, business units, and locations. All of these changes need to be reflected in the user
account information, but some of these changes also impact access to systems and
applications.
For example, an employee moving from New York to Boston will need accounts on the
Boston mail server, but may no longer need access to the New York file server. In the
case of promotions, employees who may have only had read access to certain data may
now need the ability to make modifications, or may now need access to additional data.
Figuring out the system ramifications of each of the changes is time consuming and
difficult. Frequently IT organizations identify and enable access to the key systems
involved in a change, like email, but wait for the affected employee to make access
requests for the other systems. Unfortunately, this reactive approach increases downtime
and can negatively affect employee productivity. Keeping track of these changes so that
all users have the access they need, and only the access they need, is an ongoing challenge
for many IT organizations.
Figure 1. Efficiently managing the user account lifecycle can reduce help desk calls
and account administration costs, while improving user productivity and security.
Account Expirations
As forward thinking IT managers frequently point out, at some point every employee
leaves the organization. When employees leave, all of their access points need to be
identified and disabled to prevent possible security problems. Every second an account is
not deactivated creates a window that hackers and disgruntled ex-employees can use to gain
unauthorized access to your systems. Even though most IT managers recognize this
threat, according to the Stanford Hong Kong study 43% of companies surveyed take
more than two days to disable user access and 15% take more than two weeks.[5] Two
weeks is an enormous amount of time to leave your system vulnerable.
Even more concerning is the fact many organizations do not disable all the accounts
associated with a user. In fact, according to IDC expired user accounts make up
approximately 60% of all accounts in corporate systems.[6] The difficulty of keeping track
of what each employee has access to is likely the culprit behind these expired user accounts.
But regardless of the reason, expired user accounts present a serious security concern.
From an economic standpoint, expired user accounts are also expensive. Many software
applications charge license fees based on the number of user accounts in an environment,
but are unable to distinguish between active and inactive accounts. In addition, inactive
accounts are expensive to manage as they increase the time required to perform any
account management activity. The clear drivers that are pushing organizations to address
the user account management problem are identifying and disabling expired user
accounts and removing the associated security vulnerabilities and administrative
expenses.
Multiple Data Stores
Adding yet another layer of complexity on the issue of user account management is the
fact that organizations have multiple data stores. META Group research shows that
organizations with revenues greater than $500 million typically have around 68 internal
and 12 external data stores. META also shows that 75% of internal users are contained
in multiple data stores.[7] This means that when you need to make a change to an employee’s
information or access rights, you have to make that change in multiple places.
Coordinating and managing changes across multiple data stores is expensive. Every time
an employee changes departments or a new employee is added, an IT resource has to
manually enter redundant data in approximately four different applications or systems,[8]
assuming the IT resource has access to all the different data stores. Frequently these data
repositories are independently owned, managed by different departments or business
units and updates have to be coordinated manually or over e-mail.
It is easy to see how the time and expense can accumulate even when making the
simplest changes. In addition, making changes in different places also increases the
likelihood of inaccuracies and inconsistencies across the data. With employees having
account data in multiple locations, it becomes very likely that a change is made in one
data repository and not in another, which leads to problems of data accuracy and
consistency. According to META, 11% of employees will experience a user access
rights issue and 7% an incorrect personal information issue each month.[9] Unfortunately
it is frequently the over burdened IT organization that has to identify and correct all these
issues.
The daily flow of user account changes is overwhelming many IT organizations.
Industry estimates put 29% of total IT time spent modifying user account information
annually.[10] In an effort to cope with the increasing administrative demands of managing
user account changes, many IT organizations have pushed account maintenance off to
lower level administrators and help desk personnel. No matter who does the actual
account creation, the process itself is time-consuming and repetitive. Data has to be
gathered from multiple sources, entered multiple times in varying formats into different
access directories, and a rote set of tasks has to be performed.
Multiple data stores increase the difficulty of figuring out who has access to which
resource. There is no obvious way to associate one person with all of their access
accounts in a multiple data store environment. Organizations may not be aware of many
potential security concerns, like a sales rep who used to be in accounting and still has
access to the billing system. With the privacy regulations introduced with HIPAA, it has
become essential for many organizations to know exactly who has access to which data,
at all times. Multiple data stores also increase the probability that when an employee
leaves the organization, some of the access points associated with that employee will
not be identified and disabled. As mentioned earlier, these orphan accounts present a real
security threat.
Identity Management
Identity management solutions are frequently proposed as a solution to the escalating
demands of account provisioning. The attraction of these solutions is they offer
integrated management of user identities, which facilitates seamless interaction between
individuals and the machines essential to eBusiness.[11] These solutions, however, manage
more than the lifecycle of user accounts. Identity management solutions verify the
credentials and manage the access rights of employees, business partners, suppliers,
contractors, and customers. They can extend across all electronic resources in an
organization and can identify who is accessing what, where they are located, what group
they belong to, what applications and operations systems they can use, and once in them,
what they are allowed to see and do.
Identity management solutions, though extremely powerful, are also expensive and
difficult to implement. These solutions involve multiple systems, on disparate platforms,
with complex authentication and security protocols. Since they link identity attributes,
policies, and preferences not only behind a corporate firewall but also over the Web, they
require the input and consensus from many different groups, both inside and outside of
the organization, to be successful. Organizations launching an identity management
solution have to address issues like integrating disparate business processes, regulatory
restrictions on personal data, and agreeing upon unsettled standards. Gartner notes that
identity management is a multiyear project, and that not all projects will achieve ROI in
less than a year. They contend that understanding the current workflows and the data
architecture needed for identity management increases the complexity of these projects
and can make them seem overwhelming to many organizations.[12]
Figure 2. Identity management solutions manage identities and access to systems
and extend beyond the organizational firewall.
For organizations with extended e-business relationships with partners, suppliers,
contractors, and customers, where it is essential to verify that a person is exactly who they
say they are and to grant access to specific systems based on that verified identity, identity
management solutions are critical and can offer incredible economic benefits. Gartner
estimates that a company with 10,000 employees can save $3.5 million over three years,
and see a 295% return on their investment.[13]
Smaller organizations, and organizations that do not extensively share electronic systems
with partners, suppliers, or customers, though, often find it difficult to justify the time and
upfront expense associated with identity management solutions. These organizations are
still required to support an increasing number of applications and experience much of the
same pain of user account management. They are looking for a less expensive, less
complex, easier to implement, and quicker time to value solution that addresses their
immediate needs and allows them, once they have those under control, to expand to the
other systems in the enterprise.
Dream Big, Start Small
Rather than trying to do everything all at once, many organizations are working on
smaller projects that they can eventually unite into a larger identity management solution.
This approach reduces the upfront costs and allows organizations to add features and
capabilities as they have budget, while reaping immediate benefits from the parts they
implement.
Figure 3. The more systems involved in a solution the more complex the project
becomes and the longer the time to value. The preponderance of Active Directory
accounts provides a high value area where substantial returns can be realized in a
fraction of the time and expense of a complete identity management solution.
For organizations interested in pursuing this type of strategy there are a few tried and true
approaches to ensure success.[14]
• Prioritize: Identify the functions and capabilities that will have the most immediate
impact on your business and, if possible, start with those. By hitting high value items
first, you are ensuring a faster return on your investment.
• Work in phases: Even with the priorities, divide them into smaller projects. Smaller,
finite phases are easier to plan and implement, and less likely to suffer from project
scope “creep”. You can use the ROI from the completed phases to justify the
subsequent phases.
• Develop a long-term vision: Once you have identified priorities, organize them into
an overall vision. The long-term vision will provide a context for understanding how
the smaller projects interrelate and provide a framework for making project
decisions.
• Use standards-based infrastructures: If you conform to industry standards then it is
easier to build on your solutions in the future, and you are less likely to run into
incompatibilities and obsolescence issues. Also, standards make it easier for business
partners outside your environment to work with what you develop.
Leveraging Your Active Directory Investment
User account lifecycle management is easy to break into smaller projects that can be
prioritized and deployed in phases. With the right long-term plan, an organization can
divide their user account lifecycle management project into small quantifiable objectives,
such as reducing the time required to create new accounts or reducing the time required
to identify and disable inactive accounts. Though small, such objectives can deliver an
immediate ROI.
The first step to solving user account management is consolidating user account
information into a central data repository that you can manage with a consistent set of
access methods and policies. The good news is that with the predominance of the
Windows networking infrastructure, most organizations already have a central data store
implemented in their environment—Active Directory.
Active Directory is a directory service based upon the Lightweight Directory Access
Protocol (LDAP), which stores user information and access rights. Using widely
understood standards, Active Directory supports Windows security and authentication
protocols, which makes it easy to build interoperable solutions on it. Active Directory is an
ideal user account information repository, with over 300 attributes that combine uniquely
to build a user account. Active Directory also supports schema extensions, which add an
incredible amount of power and flexibility to the type of solutions you can define.
Since Active Directory is already installed, and uniquely equipped to handle user account
and access data, it is an ideal cornerstone for a quick time to value user account lifecycle
management solution. From an IT manager’s perspective, it is also completely within the
control of the IT department, which eliminates much of the complexity associated with
cross-functional Identity Management projects.
Active Directory Account Provisioning Solutions
Active Directory account provisioning is basic identity management for Active Directory
user accounts. Active Directory account provisioning takes advantage of the fact that the
majority of account management activities occur in Active Directory, and focuses on
streamlining these activities to get quickest time to value. Active Directory account
provisioning uses the reach of Active Directory to introduce a structured environment for
user account administration, and to coordinate account management and related security
policies across the enterprise. As a result, Active Directory becomes the centralized data
repository for managing user account information and access rights to IT resources and
assets.
To create an Active Directory account provisioning solution, organizations are faced with
the decision of whether to build or buy. If they build it, cobbling together the tools
provided with Active Directory and linking them to different processes with scripts or code,
they can get exactly what they need. This approach, though, is rather risky since scripts
and custom code are difficult to maintain and suffer from compatibility and
interoperability issues. In addition, custom projects like this can be costly and difficult
to manage.
Another option is to purchase off-the-shelf tools. The difficulty with this approach is
finding exactly what is needed, especially since every organization manages account
creation, modifications, and deletions differently. Given the scope of user account
management, it is unlikely there is one solution that will do everything required.
Trying to build a unified solution using unrelated tools is also a challenge. Even
tools based on industry standards frequently run into incompatibility issues that can
threaten the success of the entire project.
Active Directory Account Provisioning Enables Organizations to:
• Implement self-service solutions for password resets, Exchange distribution lists, and
white pages information
• Implement HR driven user account updates
• Incorporate workflows and approvals into account updates
• Coordinate Exchange mailbox administration with user account administration
• Automate home share and disk quotas with account creations
The NetIQ Active Directory Account Provisioning Solution
NetIQ, a leader in security management, offers an Active Directory account provisioning
solution that allows organizations to meet their immediate Active Directory account
management needs with point of pain solutions, while at the same time laying the
groundwork for future user account lifecycle management solutions. NetIQ provides off-
the-shelf products to address key account management issues that can also be easily
combined together to build more complete account lifecycle management solutions. The
NetIQ approach allows organizations to implement Active Directory account
provisioning in steps, as they have budget.
Out-of-the-box, NetIQ’s products automate and streamline many user account
administration tasks, such as creating a home share at the same time a new user account
is created. They further reduce IT administrative workload by providing a secure method
to distribute user account administration tasks across the organization. These products
also support a wide spectrum of open, extensible standards including Active Directory
Service Interfaces (ADSI) and Windows Terminal Server (WTS).
One of the features that sets NetIQ products apart from other user account management
solutions is the seamless integration of policy enforcement with directory updates. NetIQ
products make it easy to define and enforce policies and conventions that ensure the
integrity, consistency, and completeness of Active Directory data. These products also
provide comprehensive auditing and reporting. They log all administrative actions and
create an easy-to-follow audit trail. From these logs, customers can track administrative
actions over time to establish correlations, create performance metrics, and enable ROI
analysis.
Figure 4. NetIQ Active Directory account provisioning allows organizations to
automate multi-step business workflows while enforcing security policies.
NetIQ products include easy-to-use automation capabilities that simplify complex multi-
step business workflows. Leveraging NetIQ automation, organizations can update Active
Directory automatically using HR data to grant access rights to new employees and move
home directories automatically when an employee’s site location changes. Automating
workflows reduces mistakes and ensures that all steps are completed. It also reduces the
time and resources required to make user account changes. NetIQ products can also be
used to extend beyond Active Directory to other applications and databases to further
streamline account management tasks.
NetIQ’s Active Directory account provisioning allows organizations to tailor a solution to
meet specific business needs. The product installs quickly. Within hours, organizations
can implement account management solutions that can have an immediate effect on their
bottom line, such as self-service password reset. Organizations can integrate their HR
data with Active Directory so that as they add a user account in the HR system, the
Active Directory account, home share, disk quota, Exchange mailbox, and group
memberships are all created automatically. In addition to the products being quick to
install and featuring a quick time to value, organizations only pay for what they need
when they are ready to use it.
Customer examples of NetIQ Active Directory Account Provisioning Solutions
NetIQ customers have implemented a wide range of Active Directory account
provisioning solutions. From simple self-service password resets to full HR integration,
customers have used NetIQ products to solve their user account administration problems.
Customers have implemented a combination of the following strategies:
• Delegate – empower help desk personnel and non-system administrators to do the
manual account management tasks in a secure and controlled environment.
Delegation moves the function closer to the end user, improving response time and
customer satisfaction, while reducing IT’s involvement in routine administrative
tasks.
• End user self-service – allow end users to directly interact with selected elements of
their account data. Implementing self-service makes end users responsible for
keeping specific data current, such as phone numbers and addresses.
• Automation – have systems perform as many account management tasks as possible.
Automation not only increases productivity but it also ensures consistent application
of policies.
Below are some user account lifecycle issues organizations identified and resolved using
NetIQ solutions.
IT resources overwhelmed
IT resources at a financial institution were overwhelmed with simple
account management tasks and were not able to focus on more strategic
IT projects.
The NetIQ solution implemented secure delegation, which allowed this
organization to safely distribute account administration to departmental
administrators and help desk personnel, freeing up 80% of IT resources
for higher value IT projects.
Account updates taking too long
The turnaround time for account updates and account additions at a large
insurance institution was over a week and was costing the organization in
lost productivity.
The NetIQ solution combined self-service and automation to create an
automated web form for account updates and account additions that
allowed employees and their managers with appropriate access, to
directly update Active Directory information. The updates were
instantaneous, which eliminated downtime. They were also subject to
organization naming conventions and policies, which protected the
consistency of the Active Directory information, and were able to be
safely performed by non-IT resources, which freed up IT resources for
other projects.
Security concerns
An oil company with offices distributed around the world was concerned
about security issues caused by orphaned user accounts and needed to
meet stricter auditing requirements.
The NetIQ solution automated network auditing and enabled the
organization to quickly identify hundreds of orphaned accounts across
their entire network and disable them. The detailed logging and
reporting allowed the company to meet their audit requirements.
Account updates too expensive
A pharmaceutical company needed to reduce the cost of maintaining user
account information and improve the turnaround time for changes.
The NetIQ solution reduced the account maintenance turnaround time
and expense by automating Active Directory account updates from the
HR database. Every night, the process collected all the new employees
in the HR database and created Active Directory accounts with home
directories, Exchange mailboxes, and even basic group memberships,
allowing new employees to be immediately productive. It also collected
selected employee updates, such as department and telephone, and made
those changes to the Active Directory accounts. For employees marked
terminated in the HR database, the solution disabled all access accounts,
preventing possible security threats.
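The nightly HR-driven pass described in this example, and the orphaned-account detection from the oil company example, as an added illustration that is not NetIQ's product code: the group names, naming convention, home-share path, sample HR records and the in-memory dict standing in for Active Directory are all constructed assumptions, not values from the paper.

```python
"""Nightly HR-to-Active-Directory reconciliation (constructed illustration).

New HR records get an account with home share, mailbox and default groups;
changed records get attribute updates (a department move also swaps the
department group); terminated records are disabled; enabled accounts with
no HR record are reported as orphans. A dict stands in for the directory."""
from dataclasses import dataclass, field

@dataclass
class HrRecord:
    employee_id: str
    given: str
    surname: str
    department: str
    telephone: str
    status: str  # "active" or "terminated"

@dataclass
class Account:
    sam: str  # sAMAccountName
    employee_id: str
    department: str
    telephone: str
    enabled: bool = True
    groups: set = field(default_factory=set)
    home_share: str = ""
    mailbox: bool = False

# Assumed policy, not from the paper: groups every account receives, and the
# group tied to each department.
DEFAULT_GROUPS = {"Domain Users", "All-Staff"}
DEPT_GROUP = {"Sales": "Sales-Team", "Accounting": "Billing-Users"}

def reconcile(hr_rows, directory):
    """Apply the HR feed to the directory in place; return the actions taken in order."""
    actions = []
    by_emp = {a.employee_id: a for a in directory.values()}
    seen = set()
    for r in hr_rows:
        seen.add(r.employee_id)
        acct = by_emp.get(r.employee_id)
        if r.status == "terminated":
            # Disable rather than delete so the audit trail and SID survive.
            if acct is not None and acct.enabled:
                acct.enabled = False
                actions.append(("disable", acct.sam))
            continue
        if acct is None:
            # Assumed naming convention: first initial + surname, lower case.
            sam = (r.given[0] + r.surname).lower()
            acct = Account(sam, r.employee_id, r.department, r.telephone,
                           groups=set(DEFAULT_GROUPS),
                           home_share=f"\\\\files\\home\\{sam}", mailbox=True)
            if r.department in DEPT_GROUP:
                acct.groups.add(DEPT_GROUP[r.department])
            directory[sam] = acct
            actions.append(("create", sam))
            continue
        if acct.department != r.department:
            # A department move drops the old department's group, which closes
            # the "sales rep who still has billing access" gap the paper describes.
            old, new = DEPT_GROUP.get(acct.department), DEPT_GROUP.get(r.department)
            if old:
                acct.groups.discard(old)
            if new:
                acct.groups.add(new)
            acct.department = r.department
            actions.append(("update-department", acct.sam))
        if acct.telephone != r.telephone:
            acct.telephone = r.telephone
            actions.append(("update-telephone", acct.sam))
    # Report orphans rather than auto-disabling: service accounts may have no HR owner.
    for acct in directory.values():
        if acct.enabled and acct.employee_id not in seen:
            actions.append(("orphan", acct.sam))
    return actions

# Constructed sample: one night's HR extract.
HR_FEED = [
    HrRecord("1001", "Ann", "Lee", "Sales", "x201", "active"),        # new hire
    HrRecord("1002", "Bob", "Ray", "Sales", "x305", "active"),        # Accounting -> Sales, new phone
    HrRecord("1003", "Cy", "Moe", "Accounting", "x110", "terminated"),
]

def run_nightly():
    """Run one pass over the sample data; returns (actions, directory after the run)."""
    directory = {  # constructed directory state before the run
        "bray": Account("bray", "1002", "Accounting", "x300",
                        groups={"Domain Users", "All-Staff", "Billing-Users"}),
        "cmoe": Account("cmoe", "1003", "Accounting", "x110", groups={"Domain Users"}),
        "svc-old": Account("svc-old", "9999", "IT", "", groups={"Domain Users"}),
    }
    return reconcile(HR_FEED, directory), directory
```

Against a real domain the dict would be replaced by LDAP reads and writes, and the "orphan" entries are the list an auditor reviews before anything is disabled.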
Conclusion
User account lifecycle management is an expensive and time-consuming undertaking. It
can absorb all available IT resources and prevent other more strategic IT projects from
getting the time and attention they deserve. With the ever-increasing number of
applications and data stores enterprises introduce into their environment, the problems
around user account management are only going to grow and demand more time and IT
resources.
Organizations seeking a solution to the escalating IT resource requirements for user
account lifecycle management are frequently drawn to Identity Management solutions,
which promise integrated management of user identities and seamless interaction
between individuals and a variety of applications. These solutions however, extend
beyond the organization to include external partners, suppliers, and customers and can be
expensive and time consuming to implement. Many organizations cannot justify the
upfront cost and long implementation cycles required to develop and deploy an identity
management solution. Active Directory account provisioning is a viable solution for
these organizations.
Active Directory account provisioning leverages an organization’s investment in Active
Directory. This approach takes advantage of the fact that the majority of account
management activities occur in Active Directory, and focuses on streamlining these
activities to get quickest time to value. Active Directory becomes the centralized data
repository for managing user account information and access rights to IT resources and
assets. Active Directory account provisioning allows organizations to reap a large
percentage of the cost savings and increased security promised by full-blown identity
management solutions, but at a fraction of the time and expense.
NetIQ offers powerful Active Directory account provisioning solutions that feature
secure delegation, policy enforcement, auditing, and extensive automation capabilities.
NetIQ provides off-the-shelf products that meet immediate user account management
needs. These products can also be combined together to create user account lifecycle
management solutions. The NetIQ enabled Active Directory account provisioning is
incredibly flexible, allowing organizations to quickly build a solution that meets both
their requirements and their budget, while allowing them to easily add functionality in the
future. NetIQ Active Directory account provisioning maximizes an organization’s
investment in Active Directory and reduces the cost and expense of user account
management.
[1] META Group white paper, August 2002, “The Value of Identity Management”
[2] Computerworld, July 09, 2001, “Want to Save Some Money? Automate Password Resets”, Pimm Fox
[3] META Group white paper, August 2002, “The Value of Identity Management”
[4] Exploring Secure Identity Management in Global Enterprises, Stanford University and Hong Kong University of Science and Technology, March 2003
[5] Exploring Secure Identity Management in Global Enterprises, Stanford University and Hong Kong University of Science and Technology, March 2003
[6] IDC Viewpoint, March 2003, “Identity Management, Integrating People Process and Machines”, David Senf
[7] META Group white paper, August 2002, “The Value of Identity Management”
[8] Exploring Secure Identity Management in Global Enterprises, Stanford University and Hong Kong University of Science and Technology, March 2003
[9] META Group white paper, August 2002, “The Value of Identity Management”
[10] META Group white paper, August 2002, “The Value of Identity Management”
[11] IDC, March 7, 2003, “Identity Management: Securing Your e-Business Future”, David Senf
[12] Gartner and PricewaterhouseCoopers, 2001, “Identity Management – The business context of security”
[13] Asia Computer Weekly, March 2003, “Identity Management market at a Crossroads”, Queenie Ng
[14] Computerworld, July 14, 2003, “Know Thy Users: Identity Management Done Right”, Deborah Radcliff